Am I asking too much of an SG-3100?



  • I have an SG-3100 at my home office running 2.4.4

    It's running a number of services:

    • pfBlockerNG (devel)
    • Snort (on LAN and DMZ/OPT) with limited Snort Subscriber and ET Open Rulesets (search method is AC-BNFA)
    • ALTQ Traffic Shaping (HFSC on all three interfaces)

    The connection is an asymmetric 200/50.

    I'm almost continuously pegging 100% CPU even when my connection is only in moderate use.

    We have about 30-40 devices/servers/services/clients on the LAN and about 20 services (as unique private IPs) on the DMZ.

    Previous to the SG-3100 I had an old dual-core Celeron box running PFSense. While it seemed CPU was about the same I had a lot more RAM so I could run Snort with alternative search methods.

    Long story short, am I asking too much of the SG-3100?


  • LAYER 8 Netgate

    It would be helpful to know what is consuming the CPU.

    Diagnostics > System Activity might show interesting data as might top -aSH from the shell. You are looking for high CPU usage on anything except the idle processes.



  • @Derelict

    Snort @ ~95% for just 50mbit/s of TCP traffic (rclone operation) at the moment. (this is 95% on one of the cores in the box)



  • @SFmedia said in Am I asking too much of an SG-3100?:

    @Derelict

    Snort @ ~95% for just 50mbit/s of TCP traffic (rclone operation) at the moment. (this is 95% on one of the cores in the box)

    That CPU utilization seems a bit high for just 50 mbits/sec of traffic. Check and make sure that you don't have any duplicate Snort processes running on the box. That can sometimes happen if some things outside of Snort's control happen in rapid succession. Several firewall events trigger a "restart all packages' command from pfSense. If two or more of those "restart all packages" command happen in very quick succession, or if one happens to be issued while Snort is restarting from a rules update, you can wind up with more than one Snort processing running on the same interface.

    Here is how to check if you have that issue. Run this command from a shell prompt on the firewall:

    ps -ax | grep snort
    

    You should see exactly one Snort process per configured Snort interface. If you see any lines that match each other exactly, then you have a duplicate process. To get rid of the duplicate process, either reboot the firewall or perform these steps:

    1. Within the GUI, stop all of your Snort interfaces.

    2. Return to the shell prompt session and repeat the earlier command to list the Snort processes.

    3. If you see any running Snort processes listed, kill them using this command at the shell prompt:

    kill -9 <pid>
    

    where <pid> is the process ID for the running Snort process.

    1. Return to the GUI and restart your Snort interfaces.

    If you had multiple processes, then clearing them out should result in your CPU utilization coming down.



  • @bmeeks Thanks!

    Sadly I only see one snort process per interface

    96150  -  RNs   390:10.81 /usr/local/bin/snort -R 3474 -D -q --suppress-config-log -l /var/log/snort/snort_mvneta13474 --pid-path /var/run --nolock-pidfile -G 3474 -c /usr/local/etc/snort/snort_3474_mvneta1/snort.conf -i mvneta1
    96513  -  SNs    10:06.50 /usr/local/bin/snort -R 34922 -D -q --suppress-config-log -l /var/log/snort/snort_mvneta034922 --pid-path /var/run --nolock-pidfile -G 34922 -c /usr/local/etc/snort/snort_34922_mvneta0/snort.conf -i mvneta0
    

    I have the rules limited to the following:
    IPS Policy "Connectivity" using the VRT Subscriber Ruleset

    And the following ET Open rules:

    • Mobile Malware
    • Trojan

    Other options that depart from defaults:

    • LAN Preprocs: Auto Rule Disable (Enabled/Checked)
    • Disabled the Telnet, FTP, POP3 and IMAP Preprocs (no need for the first three and I don't care that much about IMAP either).

    Oddly, none of the changes away from the defaults change the usage that much in any direction.

    The current usage is a large B2 (the S3 clone) upload, so a few TCP connections from a FreeNAS server.

    last pid: 73590;  load averages:  1.60,  1.74,  1.77                                                                                                                                                                                                                                up 1+20:51:05  19:23:05
    56 processes:  2 running, 54 sleeping
    CPU:  4.3% user, 64.0% nice,  8.7% system,  6.5% interrupt, 16.5% idle
    Mem: 142M Active, 290M Inact, 208M Wired, 80M Buf, 1348M Free
    Swap:
    
      PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
    96150 root          2 121   20   125M   103M CPU1    1 395:35  94.56% snort
    


  • Hmm... that's not a lot of rules in the big scheme of things. Surprised usage is that high. Is Snort your only package? And is that CPU utilization sustained or spikes up and down?

    I have an SG-5100 running more or less the same rules and I just checked my firewall and am seeing 1% CPU utilization. Of course at the moment not much is happening on my network. Even so, I've never seen a spike that high.



  • @bmeeks Indeed. Last week I started reducing rule-sets in an effort to see if I could change the behavior - but oddly, it seems to do little. Reboots, rule changes, etc. There is little to no change.

    In fact, a few months ago I had to switch back to Snort from Suricata, as not only was the usage equally out of control, I was suffering freezes/reboots randomly.

    I tried to use AC-STD as a search method on one interface but there's not enough RAM to load even a basic ruleset the firewall kept becoming unresponsive.



  • In an even stranger twist, I decided to see what if I just maxed out my connection.

    So I decided to try to sync a massive Google Drive share (~55GB) while continuing the NAS rclone operation while also using the web regularly and streaming some HD video at the same time.

    In addition to that other traffic on the network includes a number of servers and services.

    Running my connection at full tilt (200 in, 50 out), with ALTQ keeping things moving, the LAN interface Snort process is only using between 60% and 80% CPU.

    I really don't understand what's up.



  • I won't open a new topic, but I do have a similar problem with a I5 5250U processor. I have enabled Snort for WAN (igb0) with the Inline IPS Mode and selected the Connectivity mode. In addition I added Malware mobile Malware and Trojan in the conf file. I checked the Malware and Trojan, everything has been selected to Block status.
    Only 2 further packet are installed, pfblocker and acme. When checking my line speed with active snort, I received something like 400.000 MBits, without snort full I was back to 1000000MBits. During speedtest and active and inactive snort the cpu load was about 80%
    Looks like that the Inline Mode is eating some speed.


Log in to reply